I have a project and for this project, my PHP page located on a server should accept some parameter by my clients. The “problem” is that I need to run some commands that needs root privileges, basing them on external input.
For example:
$p = $_GET['param'];
shell_exec("iptables " . $p);
Now assuming that I will escape special characters to avoid vulnerabilities, just escaping "| & ; "etc… In my opinion, by proceeding with this method is not secure because a complex malicious expression built by an attacker could hack it anyway. Of course, the page will not execute these commands as root for really, but thanks to this method I will be able to assign root privileges only for few commands on another user. These commands will be executed with that privileges by shell_exec call by the PHP page.
My question is the following: there are any more secure options to reach my goal?